diff --git a/mbuni/ChangeLog b/mbuni/ChangeLog
index ca8dbfc..afd8f36 100644
--- a/mbuni/ChangeLog
+++ b/mbuni/ChangeLog
@@ -1,5 +1,5 @@
 2007-04-10 P. A. Bagyenda <bagyenda@dsmagic.com>
-	* Added Digest/MD5 HTTP authentication support (out-going)
+	* Added outgoing Digest/MD5 HTTP authentication support (thanks to Gert Horne <gert@bluetin.co.za> for funding)
 2007-04-10 P. A. Bagyenda <bagyenda@dsmagic.com>
 	* MM7/SOAP XMLNS string now configurable via setting per-MMC (or per-VASP) interface version
 2007-04-02 Vincent Chavanis <vincent@telemaque.fr>
diff --git a/mbuni/mmlib/mms_util.c b/mbuni/mmlib/mms_util.c
index 750821f..8ea399f 100644
--- a/mbuni/mmlib/mms_util.c
+++ b/mbuni/mmlib/mms_util.c
@@ -1290,9 +1290,9 @@ static int fetch_url_with_auth(HTTPCaller *c, int method, Octstr *url, List *req
      char *nonce_count = "00000001";
      Octstr *A1 = NULL, *A2 = NULL, *rd = NULL;
      List *qop = NULL, *l = NULL;
-     int i, status = HTTP_UNAUTHORIZED;
+     int i, status = HTTP_UNAUTHORIZED, has_auth = 0, has_auth_int = 0;
      HTTPURLParse *h = parse_url(url);
-     unsigned char mdbuf[HASHLEN*2], *xs;
+     unsigned char mdbuf[1+HASHLEN*4], *xs;
      char *m_qop = NULL;
      time_t t  = time(NULL);
      
@@ -1322,7 +1322,9 @@ static int fetch_url_with_auth(HTTPCaller *c, int method, Octstr *url, List *req
 	  Octstr *x = gwlist_get(l, 0);
 	  octstr_insert(x, octstr_imm("_none; "), 0); /* make it easier to parse. */
 	  octstr_destroy(xauth_value);
-	  xauth_value = x;
+	  xauth_value = octstr_duplicate(x);
+	  
+	  gwlist_destroy(l, (gwlist_item_destructor_t *)octstr_destroy);
      } else 
 	  warning(0, "Mal-formed Digest header (%s) while fetching (%s)!", 
 		  octstr_get_cstr(xauth_value), url ? octstr_get_cstr(url) : "");
@@ -1334,8 +1336,17 @@ static int fetch_url_with_auth(HTTPCaller *c, int method, Octstr *url, List *req
      algo = get_stripped_param_value(xauth_value, octstr_imm("algorithm"));
 
      if ((x = get_stripped_param_value(xauth_value, octstr_imm("qop"))) != NULL) {
+	  int i;
 	  qop = octstr_split(x, octstr_imm(","));
 	  octstr_destroy(x);
+	  for (i = 0; i<gwlist_len(qop); i++) { /* find qop options. */
+	       Octstr *s = gwlist_get(qop, i);
+	       if (!s) continue;
+	       if (octstr_str_case_compare(s, "auth") == 0)
+		    has_auth = 1;
+	       else if (octstr_str_case_compare(s, "auth-int") == 0)
+		    has_auth_int = 1;
+	  }
      }
      
      /* from here on, libssl is required. */
@@ -1343,7 +1354,7 @@ static int fetch_url_with_auth(HTTPCaller *c, int method, Octstr *url, List *req
      if (qop || 
 	 (algo != NULL && octstr_str_case_compare(algo, "MD5-sess") == 0)) {
 	  unsigned char *x = MD5((void *)&t, sizeof t, (void *)mdbuf);
-	  cnonce = octstr_create_from_data((void *)x, HASHLEN);
+	  cnonce = octstr_create_from_data((void *)x, 4);
 	  octstr_binary_to_hex(cnonce,0);
      }
 
@@ -1368,14 +1379,10 @@ static int fetch_url_with_auth(HTTPCaller *c, int method, Octstr *url, List *req
      x = octstr_format("%s:%S",
 		       http_method2name(method), 
 		       h->path);
-     if (qop != NULL && /* if qop, and qop=auth-int */
-	 gwlist_search(qop, "auth-int", 
-		       (gwlist_item_matches_t *)octstr_str_case_compare) != NULL &&
-	 gwlist_search(qop, "auth", 
-		       (gwlist_item_matches_t *)octstr_str_case_compare) == NULL) {
+     if (qop != NULL && has_auth_int && !has_auth) { /* if qop, and qop=auth-int */
 	  Octstr *y; 
 	  m_qop = "auth-int";
-
+	  
 	  xs = MD5((void *)octstr_get_cstr(body), octstr_len(body), (void *)mdbuf);
 	  y = octstr_create_from_data((char *)xs, HASHLEN);
 	  octstr_binary_to_hex(y,0);